
MICROSOFT Warns Against Malicious Email Campaign from NOBELIUM

Description

Microsoft security researchers have uncovered a sophisticated email-based campaign operated by the threat actor tracked as NOBELIUM, the group behind the SolarWinds supply-chain attacks. Microsoft is alerting organizations that use Microsoft products so that they understand the pattern of this malicious activity and how best to protect against it.

Security Risks
NOBELIUM payloads have mainly been delivered through spear-phishing emails carrying malicious HTML documents, URLs and ISO files. If the payload executes successfully on the target computer, the threat actor can perform further malicious activity such as data exfiltration and the delivery of additional malware.
When the targeted user opens a NOBELIUM link or HTML document, JavaScript embedded in the HTML writes an ISO file to disk and prompts the user to open it. Opening the ISO mounts it much like an external or network drive. From there, a shortcut file (LNK) executes an accompanying DLL, which results in a Cobalt Strike Beacon running on the system.
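The delivery chain above (HTML file, JavaScript writes an ISO to disk, ISO carries an LNK that loads a DLL) can be triaged statically before anyone opens the attachment. The following script is an added example written for this advisory, not code from Microsoft or from the campaign itself: it locates base64 blobs in an HTML file, decodes them, and checks whether a decoded blob is an ISO 9660 image that also contains a Windows shortcut header and a PE file. The sample lure it analyses is constructed inline (a minimal fake ISO with a fake LNK header and PE stub); the JavaScript API names it looks for, the file name "update.iso" and the function names are the author's assumptions, not indicators published with the advisory.

```python
"""Static triage of an HTML-smuggling lure that drops an ISO carrying an
LNK and a DLL.  Added example for this advisory; sample data is constructed."""
import base64
import json
import re
from typing import Dict, List

# Browser APIs commonly used by HTML smuggling to hand a byte blob to the
# user as a file download (assumed indicator list, not from the advisory).
SMUGGLING_APIS = ("msSaveOrOpenBlob", "createObjectURL", "new Blob", "atob(", ".download")

# Long runs of the base64 alphabet are candidate embedded payloads.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

ISO_PVD_OFFSET = 0x8001  # "CD001" follows the 1-byte descriptor type at sector 16
LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # ShellLinkHeader size + CLSID prefix
PE_MAGIC = b"MZ"


def decode_blobs(html: str) -> List[bytes]:
    """Return every base64 run in the page that decodes cleanly."""
    blobs = []
    for match in BASE64_RUN.finditer(html):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError: bad length/padding
            continue
    return blobs


def has_pe(payload: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at a 'PE\\0\\0' signature exists."""
    pos = payload.find(PE_MAGIC)
    while pos != -1:
        if len(payload) >= pos + 0x40:
            e_lfanew = int.from_bytes(payload[pos + 0x3C:pos + 0x40], "little")
            if payload[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                return True
        pos = payload.find(PE_MAGIC, pos + 1)
    return False


def classify(payload: bytes) -> Dict[str, bool]:
    """Check a decoded blob for the ISO -> LNK -> DLL chain."""
    return {
        "iso9660": payload[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 5] == b"CD001",
        "contains_lnk": LNK_HEADER in payload,
        "contains_pe": has_pe(payload),
    }


def triage(html: str) -> Dict[str, object]:
    """Combine API indicators and payload findings into a verdict."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    findings = [f for f in (classify(b) for b in decode_blobs(html)) if any(f.values())]
    full_chain = any(f["iso9660"] and f["contains_lnk"] and f["contains_pe"] for f in findings)
    if full_chain and apis:
        verdict = "iso-lnk-dll chain smuggled"
    elif apis or findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"smuggling_apis": apis, "payloads": findings, "verdict": verdict}


def build_sample_lure() -> str:
    """Constructed sample lure: NOT the campaign's real file.  A fake ISO with a
    LNK header and a minimal PE stub is base64-encoded into a page whose
    JavaScript writes it to disk as a download."""
    iso = bytearray(0x9000)
    iso[0x8000:0x8007] = b"\x01CD001\x01"            # primary volume descriptor
    iso[0x8800:0x8800 + len(LNK_HEADER)] = LNK_HEADER  # shortcut inside the image
    pe_stub = b"MZ" + b"\x00" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
    iso[0x8900:0x8900 + len(pe_stub)] = pe_stub        # the accompanying DLL
    blob = base64.b64encode(bytes(iso)).decode()
    return (
        "<html><body><script>\n"
        f'var b = atob("{blob}");\n'
        "var a = new Uint8Array(b.length);\n"
        "for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);\n"
        'var blob = new Blob([a], {type: "application/octet-stream"});\n'
        'if (navigator.msSaveOrOpenBlob) { navigator.msSaveOrOpenBlob(blob, "update.iso"); }\n'
        'else { var l = document.createElement("a"); l.href = URL.createObjectURL(blob);\n'
        '       l.download = "update.iso"; l.click(); }\n'
        "</script></body></html>"
    )


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_lure()), indent=2))
```

Run it against a saved attachment by reading the file into `triage()`. The base64 search is deliberately simple; real lures often split, reverse or otherwise obfuscate the encoded string, so a missing payload finding with API indicators present should still be treated as suspicious rather than clean.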

Mitigations
The National Cyber Security Authority (NCSA) recommends that administrators take note of the following and implement them as soon as possible:

  • Apply the latest released security patches across all Microsoft products and software in use in your environment;
  • Keep monitoring the networks and systems for any suspicious activity;
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet;
  • Implement centralized log management for host monitoring;
  • Increase your visibility into your network by finding unmanaged devices on your network and onboarding them to the endpoint protection solutions and services in use in your environment;
  • Turn on cloud-delivered protection in your antivirus software, if applicable, to cover rapidly evolving attacker tools and techniques;
  • Enable multifactor authentication (MFA) for every account to mitigate compromised credentials;
  • Educate users about the risks of visiting malicious websites or opening unexpected attachments, and reinforce the appropriate user response to spear-phishing emails.

For further information and support, please contact the National Cyber Security Authority (NCSA) by email to rwcsirt@ncsa.gov.rw or call us on 9009

Reference
Microsoft Corporation
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://blogs.microsoft.com/on-the-issues/2021/05/27/nobelium-cyberattack-nativezone-solarwinds/

The Hacker News
https://thehackernews.com/2021/05/solarwinds-hackers-target-think-tanks.html